This article has two messages to deliver. The first is the technical piece, where I review what the ICMP message means and what we tried in order to resolve the issue. The second is to illustrate the methodology used. I make this point up front because in the past some readers have concentrated too much on the technical information and glossed over the methodology part of the article.
Ok, let’s get to work. In this video, you’ll see that my computer was sending out SNMP packets and the local router was forwarding these packets to the internet. This happened because the router had no more specific route for the destination and fell back to its default route to the ISP’s router. The ISP router responded with an ICMP host unreachable message. As a side note, the analyst working with me did not capture any ICMP error messages when he attempted to ping a 192.168.1.x address and couldn’t figure out why. Good thing I was there capturing, or he wouldn’t have known what he was missing. The cause was his computer’s firewall/endpoint client software filtering out ICMP packets.
The analyst explained that this router was installed at a remote office as a test. If things work out, they may use this device at all remote sites. They liked the technical specs, it ran Linux, and they had read a lot of good reviews online. We tested the previous router and it did not forward private IP addresses to the default route or gateway. In fairness, the client had additional configuration parameters on that router that addressed this issue.
We used packet analysis and various configuration changes in an attempt to eliminate the ICMP error messages. The only thing that worked was routing all packets destined for 192.168.1.x to their local switch. I mention in the video that this is just a band-aid solution and that we should spend more time testing the router’s firewall to see if that would work. Unfortunately, we ran out of time, but the analyst learned the proper methodology to measure the impact of any future changes.
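To make the routing behaviour concrete, here is an added example (not the router’s configuration or anything from the video) that walks a constructed routing table with longest-prefix match. It shows why 192.168.1.x traffic falls through to the ISP default route, how the static route to the local switch fixes only that one subnet, and, as an assumption about what a fuller fix could look like, how unreachable routes for all RFC 1918 space keep any private destination from leaving the router.

```python
"""Longest-prefix-match routing walkthrough (added example, not the author's
router config). All routing tables below are constructed for illustration."""
import ipaddress

# Constructed table: a small-office router knowing only its own LAN plus a default route.
LEAKY_TABLE = [
    ("0.0.0.0/0", "isp-gateway"),   # default route to the ISP
    ("192.168.0.0/24", "lan"),      # the router's own LAN
]

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def next_hop(table, dst):
    """Return the next hop for dst using longest-prefix match, or None if no route matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def leaks_private(table, dst):
    """True when a private (RFC 1918) destination would be forwarded to the ISP default route."""
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in n for n in RFC1918) and next_hop(table, dst) == "isp-gateway"


# Workaround used in the troubleshooting session: send 192.168.1.0/24 to the local switch.
WORKAROUND_TABLE = LEAKY_TABLE + [("192.168.1.0/24", "local-switch")]

# Broader fix (an assumption, not something the page tested): explicit unreachable routes
# for all RFC 1918 space, so the router answers locally instead of forwarding to the ISP.
# The more specific 192.168.0.0/24 LAN route still wins over 192.168.0.0/16.
HARDENED_TABLE = LEAKY_TABLE + [(str(n), "unreachable") for n in RFC1918]

if __name__ == "__main__":
    tables = (("leaky", LEAKY_TABLE), ("workaround", WORKAROUND_TABLE), ("hardened", HARDENED_TABLE))
    for name, table in tables:
        for dst in ("192.168.1.20", "10.9.9.9"):
            print(f"{name:10} {dst:14} -> {next_hop(table, dst):12} leak={leaks_private(table, dst)}")
```

Note that the workaround table still forwards 10.x.x.x destinations to the ISP, which is why the text above calls it a band-aid.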
Lastly, I explained to the analyst that I had some concern that the vendor’s only form of support was to post a question in the community forum. Like all community forums, quite a bit of time is spent clarifying the issue and trying various solutions. One post suggested we perform some CLI configuration changes. The client and I agreed that we are good for now. I suggested that he determine whether his reseller has any staff who could help, since I thought this was a significant issue.